AWS Developer certification exam - Using server-side encryption to protect data in S3

You have three mutually exclusive options, depending on how you choose to manage encryption keys:

  • Server-side encryption with Amazon S3-managed keys (SSE-S3) - Each object is encrypted with a unique key. As additional protection, that key is itself encrypted with a master key that is rotated regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

  • Server-side encryption with AWS KMS-managed keys (SSE-KMS) - Similar to SSE-S3, but using this service brings some additional benefits as well as some additional charges. Use of the envelope key (that is, the key that protects your data's encryption key) requires separate permissions, which adds protection against unauthorized access to your objects in Amazon S3. SSE-KMS also gives you an audit trail of when your key was used and by whom. In addition, you can choose to create and manage encryption keys yourself, or use a default key that is unique to you, the service you are using, and the Region you are working in. For more information, see Protecting Data Using Server-Side Encryption with Keys Stored in AWS KMS (SSE-KMS).

  • Server-side encryption with customer-provided keys (SSE-C) - You manage the encryption keys, and Amazon S3 manages the encryption (when it writes to disk) and the decryption (when you access your objects). For more information, see Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C).

 

  • Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

  • Use Server-Side Encryption with Keys Stored in AWS KMS (SSE-KMS) – Similar to SSE-S3, but with some additional benefits along with some additional charges for using this service. There are separate permissions for the use of an envelope key (that is, a key that protects your data's encryption key) that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you with an audit trail of when your key was used and by whom. Additionally, you have the option to create and manage encryption keys yourself, or use a default key that is unique to you, the service you're using, and the Region you're working in. For more information, see Protecting Data Using Server-Side Encryption with Keys Stored in AWS KMS (SSE-KMS).

  • Use Server-Side Encryption with Customer-Provided Keys (SSE-C) – You manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption, when you access your objects. For more information, see Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C).
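The three options are selected per request by S3's `x-amz-server-side-encryption*` headers. The sketch below is an added example, not part of the original post or of any AWS SDK: it builds the header set for each mode and rejects combinations that mix them. The function names and the sample key are assumptions made for illustration.

```python
import base64
import hashlib

SSE = "x-amz-server-side-encryption"
SSE_KMS_KEY = SSE + "-aws-kms-key-id"
SSE_C_ALG = SSE + "-customer-algorithm"
SSE_C_KEY = SSE + "-customer-key"
SSE_C_MD5 = SSE + "-customer-key-MD5"

def sse_s3_headers():
    """SSE-S3: S3 owns the keys; the request only names the cipher."""
    return {SSE: "AES256"}

def sse_kms_headers(key_id=None):
    """SSE-KMS: omit key_id to use the default KMS key for S3."""
    headers = {SSE: "aws:kms"}
    if key_id:
        headers[SSE_KMS_KEY] = key_id
    return headers

def sse_c_headers(key):
    """SSE-C: the caller sends a 256-bit key with every request (HTTPS only)."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 32-byte (256-bit) key")
    return {
        SSE_C_ALG: "AES256",
        SSE_C_KEY: base64.b64encode(key).decode(),
        # S3 uses this digest to check the key arrived intact.
        SSE_C_MD5: base64.b64encode(hashlib.md5(key).digest()).decode(),
    }

def classify(headers):
    """Return the SSE mode a header set selects; raise if modes are mixed."""
    h = {k.lower(): v for k, v in headers.items()}
    managed = h.get(SSE)
    customer = {k for k in h if k.startswith(SSE + "-customer-")}
    if managed and customer:
        raise ValueError("SSE-C cannot be combined with SSE-S3 or SSE-KMS")
    if customer:
        if customer != {SSE_C_ALG, SSE_C_KEY, SSE_C_MD5.lower()}:
            raise ValueError("incomplete SSE-C header set")
        return "SSE-C"
    if managed is None:
        return "none"
    if managed == "AES256":
        if SSE_KMS_KEY in h:
            raise ValueError("KMS key id supplied with SSE-S3")
        return "SSE-S3"
    if managed == "aws:kms":
        return "SSE-KMS"
    raise ValueError("value outside the three modes covered here")
```

With SSE-C the same three headers must accompany every later read of the object, because S3 does not store the key.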


Origin www.cnblogs.com/cloudrivers/p/11422523.html